fix: remove presigned branding upload

.env.example

@@ -180,20 +180,6 @@ NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNUP=
 NEXT_PUBLIC_DISABLE_OIDC_SIGNUP=
 # OPTIONAL: Comma-separated list of email domains allowed to sign up (e.g., example.com,acme.org).
 NEXT_PRIVATE_ALLOWED_SIGNUP_DOMAINS=
-# OPTIONAL: Set to "true" to disable all signin methods (email, Google, Microsoft, OIDC).
-NEXT_PUBLIC_DISABLE_SIGNIN=
-# OPTIONAL: Set to "true" to disable email/password signin only. Also closes /forgot-password and /reset-password.
-NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN=
-# OPTIONAL: Set to "true" to hide the Google signin button.
-NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN=
-# OPTIONAL: Set to "true" to hide the Microsoft signin button.
-NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN=
-# OPTIONAL: Set to "true" to hide the OIDC signin button.
-NEXT_PUBLIC_DISABLE_OIDC_SIGNIN=
-# OPTIONAL: When OIDC is the only enabled signin transport, /signin auto-redirects
-# to the OIDC provider (rendering only a spinner). Set to "true" to disable this
-# and keep showing the signin page.
-NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT=
 # OPTIONAL: Set to true to use internal webapp url in browserless requests.
 NEXT_PUBLIC_USE_INTERNAL_URL_BROWSERLESS=false
 

apps/docs/content/docs/self-hosting/configuration/environment.mdx

@@ -272,12 +272,6 @@ For detailed certificate setup, see [Signing Certificate](/docs/self-hosting/con
 | `NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNUP`       | Block new accounts via Microsoft. Existing linked users can still sign in           | `false` |
 | `NEXT_PUBLIC_DISABLE_OIDC_SIGNUP`            | Block new accounts via OIDC, including the organisation portal                      | `false` |
 | `NEXT_PRIVATE_ALLOWED_SIGNUP_DOMAINS`        | Comma-separated list of email domains allowed to sign up (e.g., `example.com,acme.org`) |         |
-| `NEXT_PUBLIC_DISABLE_SIGNIN`                 | Master switch. Disable all signin methods application-wide                          | `false` |
-| `NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN`  | Disable email/password signin. Also closes `/forgot-password` and `/reset-password` | `false` |
-| `NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN`          | Hide the Google signin button                                                       | `false` |
-| `NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN`       | Hide the Microsoft signin button                                                    | `false` |
-| `NEXT_PUBLIC_DISABLE_OIDC_SIGNIN`            | Hide the OIDC signin button                                                         | `false` |
-| `NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT`     | Disable the automatic `/signin` redirect when OIDC is the only enabled transport    | `false` |
 | `NEXT_PUBLIC_POSTHOG_KEY`             | PostHog API key for analytics and feature flags                                     |         |
 | `NEXT_PUBLIC_FEATURE_BILLING_ENABLED` | Enable billing features                                                             | `false` |
 
@@ -309,44 +303,6 @@ NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNUP="true"
 NEXT_PUBLIC_DISABLE_SIGNUP="true"
 ```
 
-### Sign-in Restrictions
-
-You can control which methods are available for users to sign in with the following environment variables:
-
-- **`NEXT_PUBLIC_DISABLE_SIGNIN`** (master switch): Set to `true` to block all signin methods (email/password, Google, Microsoft, OIDC). Hides every signin entry point on `/signin` and rejects email/password signin server-side with a `SIGNIN_DISABLED` error.
-- **`NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN`**: Set to `true` to disable email/password signin only. The email/password form is hidden, the `/forgot-password` and `/reset-password` pages redirect to `/signin`, and the corresponding server endpoints reject requests. SSO signin is unaffected.
-- **`NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN`**, **`NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN`**, **`NEXT_PUBLIC_DISABLE_OIDC_SIGNIN`**: Set to `true` to hide the matching SSO button on the signin page. Useful when an SSO provider is kept configured for account linking but not advertised as a signin entry point.
-
-These flags are opt-in: when none are set, signin behaviour is unchanged from a stock Documenso instance.
-
-```bash
-# Allow only OIDC signin (e.g. enterprise SSO-only)
-NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN="true"
-NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN="true"
-NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN="true"
-
-# Or disable signin entirely
-NEXT_PUBLIC_DISABLE_SIGNIN="true"
-```
-
-### OIDC Auto-redirect
-
-When OIDC is the only enabled signin transport on your instance, `/signin` automatically redirects users straight to the OIDC provider instead of showing the signin form. The page renders a spinner while the redirect happens. No extra configuration is required — disabling every other signin method is enough to trigger it.
-
-- **`NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT`**: Set to `true` to opt out of the automatic redirect and keep rendering the signin page even when OIDC is the only enabled transport.
-
-The redirect only triggers when OIDC is configured and email/password, Google, and Microsoft signin are all disabled. If any other transport remains enabled, the signin form is shown as normal.
-
-```bash
-# OIDC-only signin: disabling all other methods auto-redirects to the provider
-NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN="true"
-NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN="true"
-NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN="true"
-
-# Opt out of the auto-redirect while still OIDC-only
-# NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT="true"
-```
-
 ---
 
 ## AI Features
@@ -490,16 +446,6 @@ NEXT_PRIVATE_SIGNING_PASSPHRASE="your-certificate-password"
 # NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNUP="true"
 # NEXT_PUBLIC_DISABLE_OIDC_SIGNUP="true"
 # NEXT_PRIVATE_ALLOWED_SIGNUP_DOMAINS="example.com,acme.org"
-
-# Sign-in restrictions (optional)
-# NEXT_PUBLIC_DISABLE_SIGNIN="true"
-# NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN="true"
-# NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN="true"
-# NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN="true"
-# NEXT_PUBLIC_DISABLE_OIDC_SIGNIN="true"
-
-# Opt out of the automatic OIDC redirect when OIDC is the only enabled transport (optional)
-# NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT="true"
 ```
 
 ---

apps/docs/content/docs/self-hosting/deployment/docker-compose.mdx

@@ -163,19 +163,6 @@ NEXT_PUBLIC_DISABLE_SIGNUP=false
 # NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNUP=true
 # NEXT_PUBLIC_DISABLE_OIDC_SIGNUP=true
 # NEXT_PRIVATE_ALLOWED_SIGNUP_DOMAINS=example.com,acme.org
-
-# Signin restrictions (optional)
-# Master switch — disables every signin method
-# NEXT_PUBLIC_DISABLE_SIGNIN=true
-# Per-method switches (optional). Each disables that signin path.
-# NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN=true
-# NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN=true
-# NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN=true
-# NEXT_PUBLIC_DISABLE_OIDC_SIGNIN=true
-
-# When OIDC is the only enabled transport, /signin auto-redirects to the provider.
-# Set this to opt out and keep showing the signin page (optional).
-# NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT=true
 ```
 
 <Callout type="info">Generate secure secrets using: `openssl rand -base64 32`</Callout>

apps/docs/content/docs/self-hosting/deployment/docker.mdx

@@ -112,12 +112,6 @@ See [Email Configuration](/docs/self-hosting/configuration/email) for other tran
 | `NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNUP`      | Block new accounts via Microsoft OAuth                         | `false`                   |
 | `NEXT_PUBLIC_DISABLE_OIDC_SIGNUP`           | Block new accounts via OIDC (incl. organisation portal)        | `false`                   |
 | `NEXT_PRIVATE_ALLOWED_SIGNUP_DOMAINS`       | Comma-separated list of allowed signup email domains           |                           |
-| `NEXT_PUBLIC_DISABLE_SIGNIN`                | Master switch — disable all signin methods                     | `false`                   |
-| `NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN` | Disable email/password signin only                             | `false`                   |
-| `NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN`         | Hide the Google signin button                                  | `false`                   |
-| `NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN`      | Hide the Microsoft signin button                               | `false`                   |
-| `NEXT_PUBLIC_DISABLE_OIDC_SIGNIN`           | Hide the OIDC signin button                                    | `false`                   |
-| `NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT`    | Disable auto-redirect to OIDC when it is the only transport     | `false`                   |
 
 For the complete list, see [Environment Variables](/docs/self-hosting/configuration/environment).
 

apps/docs/content/docs/self-hosting/deployment/railway.mdx

@@ -159,12 +159,6 @@ NEXT_PRIVATE_SMTP_FROM_ADDRESS=noreply@yourdomain.com
 | `NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNUP`| Block new accounts via Microsoft OAuth                 | `false` |
 | `NEXT_PUBLIC_DISABLE_OIDC_SIGNUP`     | Block new accounts via OIDC (incl. organisation portal)| `false` |
 | `NEXT_PRIVATE_ALLOWED_SIGNUP_DOMAINS` | Comma-separated list of allowed signup email domains   |         |
-| `NEXT_PUBLIC_DISABLE_SIGNIN`          | Master switch — disable all signin methods             | `false` |
-| `NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN` | Disable email/password signin only                     | `false` |
-| `NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN`   | Hide the Google signin button                          | `false` |
-| `NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN`| Hide the Microsoft signin button                       | `false` |
-| `NEXT_PUBLIC_DISABLE_OIDC_SIGNIN`     | Hide the OIDC signin button                            | `false` |
-| `NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT` | Disable auto-redirect to OIDC when it is the only transport | `false` |
 | `NEXT_PRIVATE_SIGNING_PASSPHRASE`     | Passphrase for signing certificate                     | -       |
 | `DOCUMENSO_DISABLE_TELEMETRY`     | Disable anonymous telemetry        | `false` |
 

apps/remix/app/components/forms/branding-preferences-form.tsx

@@ -1,5 +1,10 @@
 import { useCurrentOrganisation } from '@documenso/lib/client-only/providers/organisation';
 import { NEXT_PUBLIC_WEBAPP_URL } from '@documenso/lib/constants/app';
+import {
+  BRANDING_LOGO_ALLOWED_TYPES,
+  BRANDING_LOGO_MAX_SIZE_BYTES,
+  BRANDING_LOGO_MAX_SIZE_MB,
+} from '@documenso/lib/constants/branding';
 import { DEFAULT_BRAND_COLORS, DEFAULT_BRAND_RADIUS } from '@documenso/lib/constants/theme';
 import { ZCssVarsSchema } from '@documenso/lib/types/css-vars';
 import { cn } from '@documenso/ui/lib/utils';
@@ -21,15 +26,15 @@ import { z } from 'zod';
 import { useOptionalCurrentTeam } from '~/providers/team';
 import { useCspNonce } from '~/utils/nonce';
 
-const MAX_FILE_SIZE = 5 * 1024 * 1024; // 5MB
-const ACCEPTED_FILE_TYPES = ['image/jpeg', 'image/png', 'image/webp'];
-
 const ZBrandingPreferencesFormSchema = z.object({
   brandingEnabled: z.boolean().nullable(),
   brandingLogo: z
     .instanceof(File)
-    .refine((file) => file.size <= MAX_FILE_SIZE, 'File size must be less than 5MB')
-    .refine((file) => ACCEPTED_FILE_TYPES.includes(file.type), 'Only .jpg, .png, and .webp files are accepted')
+    .refine(
+      (file) => file.size <= BRANDING_LOGO_MAX_SIZE_BYTES,
+      `File size must be less than ${BRANDING_LOGO_MAX_SIZE_MB}MB`,
+    )
+    .refine((file) => BRANDING_LOGO_ALLOWED_TYPES.includes(file.type), 'Only .jpg, .png, and .webp files are accepted')
     .nullish(),
   brandingUrl: z.string().url().optional().or(z.literal('')),
   brandingCompanyDetails: z.string().max(500).optional(),
@@ -199,7 +204,7 @@ export function BrandingPreferencesForm({
                       <FormControl className="relative">
                         <Input
                           type="file"
-                          accept={ACCEPTED_FILE_TYPES.join(',')}
+                          accept={BRANDING_LOGO_ALLOWED_TYPES.join(',')}
                           disabled={!isBrandingEnabled}
                           onChange={(e) => {
                             const file = e.target.files?.[0];

apps/remix/app/components/forms/signin.tsx

@@ -58,7 +58,6 @@ export type TSignInFormSchema = z.infer<typeof ZSignInFormSchema>;
 export type SignInFormProps = {
   className?: string;
   initialEmail?: string;
-  isEmailPasswordSigninEnabled?: boolean;
   isGoogleSSOEnabled?: boolean;
   isMicrosoftSSOEnabled?: boolean;
   isOIDCSSOEnabled?: boolean;
@@ -69,7 +68,6 @@ export type SignInFormProps = {
 export const SignInForm = ({
   className,
   initialEmail,
-  isEmailPasswordSigninEnabled = true,
   isGoogleSSOEnabled,
   isMicrosoftSSOEnabled,
   isOIDCSSOEnabled,
@@ -326,78 +324,66 @@ export const SignInForm = ({
     <Form {...form}>
       <form className={cn('flex w-full flex-col gap-y-4', className)} onSubmit={form.handleSubmit(onFormSubmit)}>
         <fieldset className="flex w-full flex-col gap-y-4" disabled={isSubmitting || isPasskeyLoading}>
-          {isEmailPasswordSigninEnabled && (
-            <>
-              <FormField
-                control={form.control}
-                name="email"
-                render={({ field }) => (
-                  <FormItem>
-                    <FormLabel>
-                      <Trans>Email</Trans>
-                    </FormLabel>
+          <FormField
+            control={form.control}
+            name="email"
+            render={({ field }) => (
+              <FormItem>
+                <FormLabel>
+                  <Trans>Email</Trans>
+                </FormLabel>
 
-                    <FormControl>
-                      <Input type="email" {...field} />
-                    </FormControl>
+                <FormControl>
+                  <Input type="email" {...field} />
+                </FormControl>
 
-                    <FormMessage />
-                  </FormItem>
-                )}
-              />
+                <FormMessage />
+              </FormItem>
+            )}
+          />
 
-              <FormField
-                control={form.control}
-                name="password"
-                render={({ field }) => (
-                  <FormItem>
-                    <FormLabel>
-                      <Trans>Password</Trans>
-                    </FormLabel>
+          <FormField
+            control={form.control}
+            name="password"
+            render={({ field }) => (
+              <FormItem>
+                <FormLabel>
+                  <Trans>Password</Trans>
+                </FormLabel>
 
-                    <FormControl>
-                      <PasswordInput {...field} />
-                    </FormControl>
+                <FormControl>
+                  <PasswordInput {...field} />
+                </FormControl>
 
-                    <FormMessage />
+                <FormMessage />
 
-                    <p className="mt-2 text-right">
-                      <Link
-                        to="/forgot-password"
-                        className="text-muted-foreground text-sm duration-200 hover:opacity-70"
-                      >
-                        <Trans>Forgot your password?</Trans>
-                      </Link>
-                    </p>
-                  </FormItem>
-                )}
-              />
+                <p className="mt-2 text-right">
+                  <Link to="/forgot-password" className="text-muted-foreground text-sm duration-200 hover:opacity-70">
+                    <Trans>Forgot your password?</Trans>
+                  </Link>
+                </p>
+              </FormItem>
+            )}
+          />
 
-              {turnstileSiteKey && !isTwoFactorAuthenticationDialogOpen && (
-                <Turnstile
-                  ref={turnstileRef}
-                  siteKey={turnstileSiteKey}
-                  options={{
-                    size: 'flexible',
-                    appearance: 'always',
-                  }}
-                />
-              )}
-
-              <Button
-                type="submit"
-                size="lg"
-                loading={isSubmitting}
-                className="dark:bg-documenso dark:hover:opacity-90"
-              >
-                {isSubmitting ? <Trans>Signing in...</Trans> : <Trans>Sign In</Trans>}
-              </Button>
-            </>
+          {turnstileSiteKey && !isTwoFactorAuthenticationDialogOpen && (
+            <Turnstile
+              ref={turnstileRef}
+              siteKey={turnstileSiteKey}
+              options={{
+                size: 'flexible',
+                appearance: 'always',
+              }}
+            />
           )}
 
+          <Button type="submit" size="lg" loading={isSubmitting} className="dark:bg-documenso dark:hover:opacity-90">
+            {isSubmitting ? <Trans>Signing in...</Trans> : <Trans>Sign In</Trans>}
+          </Button>
+
           {!isEmbeddedRedirect && (
             <>
-              {isEmailPasswordSigninEnabled && hasSocialAuthEnabled && (
+              {hasSocialAuthEnabled && (
                 <div className="relative flex items-center justify-center gap-x-4 py-2 text-xs uppercase">
                   <div className="h-px flex-1 bg-border" />
                   <span className="bg-transparent text-muted-foreground">

apps/remix/app/routes/_authenticated+/o.$orgUrl.settings.branding.tsx

@@ -1,7 +1,6 @@
 import { useCurrentOrganisation } from '@documenso/lib/client-only/providers/organisation';
 import { useSession } from '@documenso/lib/client-only/providers/session';
 import { IS_BILLING_ENABLED } from '@documenso/lib/constants/app';
-import { putFile } from '@documenso/lib/universal/upload/put-file';
 import { canExecuteOrganisationAction, isPersonalLayout } from '@documenso/lib/utils/organisations';
 import type { SanitizeBrandingCssWarning } from '@documenso/lib/utils/sanitize-branding-css';
 import { trpc } from '@documenso/trpc/react';
@@ -49,26 +48,29 @@ export default function OrganisationSettingsBrandingPage() {
 
   const { mutateAsync: updateOrganisationSettings } = trpc.organisation.settings.update.useMutation();
 
+  const { mutateAsync: updateOrganisationBrandingLogo } = trpc.organisation.settings.updateBrandingLogo.useMutation();
+
   const onBrandingPreferencesFormSubmit = async (data: TBrandingPreferencesFormSchema) => {
     try {
       const { brandingEnabled, brandingLogo, brandingUrl, brandingCompanyDetails, brandingColors, brandingCss } = data;
 
-      let uploadedBrandingLogo: string | undefined;
+      // Upload (or clear) the logo through the dedicated, server-validated route.
+      if (brandingLogo instanceof File || brandingLogo === null) {
+        const formData = new FormData();
 
-      if (brandingLogo) {
-        uploadedBrandingLogo = JSON.stringify(await putFile(brandingLogo));
-      }
+        formData.append('payload', JSON.stringify({ organisationId: organisation.id }));
 
-      // Empty the branding logo if the user unsets it.
-      if (brandingLogo === null) {
-        uploadedBrandingLogo = '';
+        if (brandingLogo instanceof File) {
+          formData.append('brandingLogo', brandingLogo);
+        }
+
+        await updateOrganisationBrandingLogo(formData);
       }
 
       const result = await updateOrganisationSettings({
         organisationId: organisation.id,
         data: {
           brandingEnabled: brandingEnabled ?? undefined,
-          brandingLogo: uploadedBrandingLogo,
           brandingUrl,
           brandingCompanyDetails,
           brandingColors,

apps/remix/app/routes/_authenticated+/t.$teamUrl+/settings.branding.tsx

@@ -1,6 +1,5 @@
 import { useCurrentOrganisation } from '@documenso/lib/client-only/providers/organisation';
 import { IS_BILLING_ENABLED } from '@documenso/lib/constants/app';
-import { putFile } from '@documenso/lib/universal/upload/put-file';
 import { canExecuteOrganisationAction } from '@documenso/lib/utils/organisations';
 import type { SanitizeBrandingCssWarning } from '@documenso/lib/utils/sanitize-branding-css';
 import { trpc } from '@documenso/trpc/react';
@@ -38,6 +37,7 @@ export default function TeamsSettingsPage() {
   });
 
   const { mutateAsync: updateTeamSettings } = trpc.team.settings.update.useMutation();
+  const { mutateAsync: updateTeamBrandingLogo } = trpc.team.settings.updateBrandingLogo.useMutation();
 
   const canConfigureBranding = organisation.organisationClaim.flags.allowCustomBranding || !IS_BILLING_ENABLED();
 
@@ -48,22 +48,23 @@ export default function TeamsSettingsPage() {
     try {
       const { brandingEnabled, brandingLogo, brandingUrl, brandingCompanyDetails, brandingColors, brandingCss } = data;
 
-      let uploadedBrandingLogo: string | undefined;
+      // Upload (or clear) the logo through the dedicated, server-validated route.
+      if (brandingLogo instanceof File || brandingLogo === null) {
+        const formData = new FormData();
 
-      if (brandingLogo) {
-        uploadedBrandingLogo = JSON.stringify(await putFile(brandingLogo));
-      }
+        formData.append('payload', JSON.stringify({ teamId: team.id }));
 
-      // Empty the branding logo if the user unsets it.
-      if (brandingLogo === null) {
-        uploadedBrandingLogo = '';
+        if (brandingLogo instanceof File) {
+          formData.append('brandingLogo', brandingLogo);
+        }
+
+        await updateTeamBrandingLogo(formData);
       }
 
       const result = await updateTeamSettings({
         teamId: team.id,
         data: {
           brandingEnabled,
-          brandingLogo: uploadedBrandingLogo,
           brandingUrl: brandingUrl || null,
           brandingCompanyDetails: brandingCompanyDetails || null,
           brandingColors,

apps/remix/app/routes/_unauthenticated+/forgot-password.tsx

@@ -1,7 +1,6 @@
-import { isSigninEnabledForProvider } from '@documenso/lib/constants/auth';
 import { msg } from '@lingui/core/macro';
 import { Trans } from '@lingui/react/macro';
-import { Link, redirect } from 'react-router';
+import { Link } from 'react-router';
 
 import { ForgotPasswordForm } from '~/components/forms/forgot-password';
 import { appMetaTags } from '~/utils/meta';
@@ -10,14 +9,6 @@ export function meta() {
   return appMetaTags(msg`Forgot Password`);
 }
 
-export async function loader() {
-  if (!isSigninEnabledForProvider('email')) {
-    throw redirect('/signin');
-  }
-
-  return null;
-}
-
 export default function ForgotPasswordPage() {
   return (
     <div className="w-screen max-w-lg px-4">

apps/remix/app/routes/_unauthenticated+/reset-password.$token.tsx

@@ -1,4 +1,3 @@
-import { isSigninEnabledForProvider } from '@documenso/lib/constants/auth';
 import { getResetTokenValidity } from '@documenso/lib/server-only/user/get-reset-token-validity';
 import { msg } from '@lingui/core/macro';
 import { Trans } from '@lingui/react/macro';
@@ -14,10 +13,6 @@ export function meta() {
 }
 
 export async function loader({ params }: Route.LoaderArgs) {
-  if (!isSigninEnabledForProvider('email')) {
-    throw redirect('/signin');
-  }
-
   const { token } = params;
 
   const isValid = await getResetTokenValidity({ token });

apps/remix/app/routes/_unauthenticated+/reset-password._index.tsx

@@ -1,8 +1,7 @@
-import { isSigninEnabledForProvider } from '@documenso/lib/constants/auth';
 import { Button } from '@documenso/ui/primitives/button';
 import { msg } from '@lingui/core/macro';
 import { Trans } from '@lingui/react/macro';
-import { Link, redirect } from 'react-router';
+import { Link } from 'react-router';
 
 import { appMetaTags } from '~/utils/meta';
 
@@ -10,14 +9,6 @@ export function meta() {
   return appMetaTags(msg`Reset Password`);
 }
 
-export async function loader() {
-  if (!isSigninEnabledForProvider('email')) {
-    throw redirect('/signin');
-  }
-
-  return null;
-}
-
 export default function ResetPasswordPage() {
   return (
     <div className="w-screen max-w-lg px-4">

apps/remix/app/routes/_unauthenticated+/signin.tsx

@@ -1,11 +1,8 @@
-import { authClient } from '@documenso/auth/client';
 import { getOptionalSession } from '@documenso/auth/server/lib/utils/get-session';
 import {
   IS_GOOGLE_SSO_ENABLED,
   IS_MICROSOFT_SSO_ENABLED,
-  IS_OIDC_AUTO_REDIRECT_DISABLED,
   IS_OIDC_SSO_ENABLED,
-  isSigninEnabledForProvider,
   isSignupEnabledForProvider,
   OIDC_PROVIDER_LABEL,
 } from '@documenso/lib/constants/auth';
@@ -14,7 +11,6 @@ import { Alert, AlertDescription } from '@documenso/ui/primitives/alert';
 import { msg } from '@lingui/core/macro';
 import { useLingui } from '@lingui/react';
 import { Trans } from '@lingui/react/macro';
-import { Loader2Icon } from 'lucide-react';
 import { useEffect, useState } from 'react';
 import { Link, redirect, useSearchParams } from 'react-router';
 
@@ -32,20 +28,10 @@ export async function loader({ request }: Route.LoaderArgs) {
   const { isAuthenticated } = await getOptionalSession(request);
 
   // SSR env variables.
-  const isEmailPasswordSigninEnabled = isSigninEnabledForProvider('email');
-  const isGoogleSSOEnabled = IS_GOOGLE_SSO_ENABLED && isSigninEnabledForProvider('google');
-  const isMicrosoftSSOEnabled = IS_MICROSOFT_SSO_ENABLED && isSigninEnabledForProvider('microsoft');
-  const isOIDCSSOEnabled = IS_OIDC_SSO_ENABLED && isSigninEnabledForProvider('oidc');
-
-  // Automatically redirect to OIDC when it is the only enabled signin transport,
-  // unless the redirect has been explicitly disabled via env.
-  const isOIDCOnlyTransport =
-    isOIDCSSOEnabled && !isEmailPasswordSigninEnabled && !isGoogleSSOEnabled && !isMicrosoftSSOEnabled;
-
-  const shouldAutoRedirectToOIDC = isOIDCOnlyTransport && !IS_OIDC_AUTO_REDIRECT_DISABLED;
-
+  const isGoogleSSOEnabled = IS_GOOGLE_SSO_ENABLED;
+  const isMicrosoftSSOEnabled = IS_MICROSOFT_SSO_ENABLED;
+  const isOIDCSSOEnabled = IS_OIDC_SSO_ENABLED;
   const oidcProviderLabel = OIDC_PROVIDER_LABEL;
-
   const isSignupEnabled =
     isSignupEnabledForProvider('email') ||
     (IS_GOOGLE_SSO_ENABLED && isSignupEnabledForProvider('google')) ||
@@ -61,28 +47,18 @@ export async function loader({ request }: Route.LoaderArgs) {
   }
 
   return {
-    isEmailPasswordSigninEnabled,
     isGoogleSSOEnabled,
     isMicrosoftSSOEnabled,
     isOIDCSSOEnabled,
     isSignupEnabled,
     oidcProviderLabel,
     returnTo,
-    shouldAutoRedirectToOIDC,
   };
 }
 
 export default function SignIn({ loaderData }: Route.ComponentProps) {
-  const {
-    isEmailPasswordSigninEnabled,
-    isGoogleSSOEnabled,
-    isMicrosoftSSOEnabled,
-    isOIDCSSOEnabled,
-    isSignupEnabled,
-    oidcProviderLabel,
-    returnTo,
-    shouldAutoRedirectToOIDC,
-  } = loaderData;
+  const { isGoogleSSOEnabled, isMicrosoftSSOEnabled, isOIDCSSOEnabled, isSignupEnabled, oidcProviderLabel, returnTo } =
+    loaderData;
 
   const { _ } = useLingui();
 
@@ -100,27 +76,6 @@ export default function SignIn({ loaderData }: Route.ComponentProps) {
     setIsEmbeddedRedirect(params.get('embedded') === 'true');
   }, []);
 
-  useEffect(() => {
-    if (!shouldAutoRedirectToOIDC) {
-      return;
-    }
-
-    void authClient.oidc.signIn({ redirectPath: returnTo ?? '/' });
-  }, [shouldAutoRedirectToOIDC, returnTo]);
-
-  if (shouldAutoRedirectToOIDC) {
-    return (
-      <div className="w-screen max-w-lg px-4">
-        <div className="flex flex-col items-center justify-center gap-y-4 py-12">
-          <Loader2Icon className="h-8 w-8 animate-spin text-muted-foreground" />
-          <p className="text-muted-foreground text-sm">
-            <Trans>Redirecting to {oidcProviderLabel || 'OIDC'}...</Trans>
-          </p>
-        </div>
-      </div>
-    );
-  }
-
   return (
     <div className="w-screen max-w-lg px-4">
       <div className="z-10 rounded-xl border border-border bg-neutral-100 p-6 dark:bg-background">
@@ -140,7 +95,6 @@ export default function SignIn({ loaderData }: Route.ComponentProps) {
         <hr className="-mx-6 my-4" />
 
         <SignInForm
-          isEmailPasswordSigninEnabled={isEmailPasswordSigninEnabled}
           isGoogleSSOEnabled={isGoogleSSOEnabled}
           isMicrosoftSSOEnabled={isMicrosoftSSOEnabled}
           isOIDCSSOEnabled={isOIDCSSOEnabled}

apps/remix/server/api/files/files.ts

@@ -1,9 +1,8 @@
 import { getOptionalSession } from '@documenso/auth/server/lib/utils/get-session';
 import { APP_DOCUMENT_UPLOAD_SIZE_LIMIT } from '@documenso/lib/constants/app';
-import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
+import { AppError } from '@documenso/lib/errors/app-error';
 import { verifyEmbeddingPresignToken } from '@documenso/lib/server-only/embedding-presign/verify-embedding-presign-token';
 import { putNormalizedPdfFileServerSide } from '@documenso/lib/universal/upload/put-file.server';
-import { getPresignPostUrl } from '@documenso/lib/universal/upload/server-actions';
 import { prisma } from '@documenso/prisma';
 import { sValidator } from '@hono/standard-validator';
 import type { Prisma } from '@prisma/client';
@@ -12,14 +11,11 @@ import { Hono } from 'hono';
 import type { HonoEnv } from '../../router';
 import { checkEnvelopeFileAccess, handleEnvelopeItemFileRequest, resolveFileUploadUserId } from './files.helpers';
 import {
-  isAllowedUploadContentType,
-  type TGetPresignedPostUrlResponse,
   ZGetEnvelopeItemFileDownloadRequestParamsSchema,
   ZGetEnvelopeItemFileRequestParamsSchema,
   ZGetEnvelopeItemFileRequestQuerySchema,
   ZGetEnvelopeItemFileTokenDownloadRequestParamsSchema,
   ZGetEnvelopeItemFileTokenRequestParamsSchema,
-  ZGetPresignedPostUrlRequestSchema,
   ZUploadPdfRequestSchema,
 } from './files.types';
 import getEnvelopeItemPdfRoute from './routes/get-envelope-item-pdf';
@@ -61,29 +57,6 @@ export const filesRoute = new Hono<HonoEnv>()
       return c.json({ error: 'Upload failed' }, 500);
     }
   })
-  .post('/presigned-post-url', sValidator('json', ZGetPresignedPostUrlRequestSchema), async (c) => {
-    const userId = await resolveFileUploadUserId(c);
-
-    if (!userId) {
-      return c.json({ error: 'Unauthorized' }, 401);
-    }
-
-    const { fileName, contentType } = c.req.valid('json');
-
-    if (!isAllowedUploadContentType(contentType)) {
-      return c.json({ error: 'Unsupported content type' }, 400);
-    }
-
-    try {
-      const { key, url } = await getPresignPostUrl(fileName, contentType, userId);
-
-      return c.json({ key, url } satisfies TGetPresignedPostUrlResponse);
-    } catch (err) {
-      console.error(err);
-
-      throw new AppError(AppErrorCode.UNKNOWN_ERROR);
-    }
-  })
   .get(
     '/envelope/:envelopeId/envelopeItem/:envelopeItemId',
     sValidator('param', ZGetEnvelopeItemFileRequestParamsSchema),

apps/remix/server/api/files/files.types.ts

@@ -13,27 +13,6 @@ export const ZUploadPdfResponseSchema = DocumentDataSchema.pick({
 export type TUploadPdfRequest = z.infer<typeof ZUploadPdfRequestSchema>;
 export type TUploadPdfResponse = z.infer<typeof ZUploadPdfResponseSchema>;
 
-export const ALLOWED_UPLOAD_CONTENT_TYPES = ['application/pdf', 'image/jpeg', 'image/png', 'image/webp'] as const;
-
-export const isAllowedUploadContentType = (contentType: string): boolean => {
-  const normalizedContentType = contentType.split(';').at(0)?.trim().toLowerCase();
-
-  return ALLOWED_UPLOAD_CONTENT_TYPES.some((allowed) => allowed === normalizedContentType);
-};
-
-export const ZGetPresignedPostUrlRequestSchema = z.object({
-  fileName: z.string().min(1),
-  contentType: z.string().min(1),
-});
-
-export const ZGetPresignedPostUrlResponseSchema = z.object({
-  key: z.string().min(1),
-  url: z.string().min(1),
-});
-
-export type TGetPresignedPostUrlRequest = z.infer<typeof ZGetPresignedPostUrlRequestSchema>;
-export type TGetPresignedPostUrlResponse = z.infer<typeof ZGetPresignedPostUrlResponseSchema>;
-
 export const ZGetEnvelopeItemFileRequestParamsSchema = z.object({
   envelopeId: z.string().min(1),
   envelopeItemId: z.string().min(1),

apps/remix/server/router.ts

@@ -105,7 +105,6 @@ app.route('/api/auth', auth);
 
 // Files route.
 app.use('/api/files/upload-pdf', fileRateLimitMiddleware);
-app.use('/api/files/presigned-post-url', fileRateLimitMiddleware);
 app.route('/api/files', filesRoute);
 
 // AI route.

docker/production/compose.yml

@@ -64,12 +64,6 @@ services:
       - NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNUP=${NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNUP}
       - NEXT_PUBLIC_DISABLE_OIDC_SIGNUP=${NEXT_PUBLIC_DISABLE_OIDC_SIGNUP}
       - NEXT_PRIVATE_ALLOWED_SIGNUP_DOMAINS=${NEXT_PRIVATE_ALLOWED_SIGNUP_DOMAINS}
-      - NEXT_PUBLIC_DISABLE_SIGNIN=${NEXT_PUBLIC_DISABLE_SIGNIN}
-      - NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN=${NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN}
-      - NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN=${NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN}
-      - NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN=${NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN}
-      - NEXT_PUBLIC_DISABLE_OIDC_SIGNIN=${NEXT_PUBLIC_DISABLE_OIDC_SIGNIN}
-      - NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT=${NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT}
       - NEXT_PRIVATE_SIGNING_LOCAL_FILE_PATH=${NEXT_PRIVATE_SIGNING_LOCAL_FILE_PATH:-/opt/documenso/cert.p12}
       - NEXT_PRIVATE_SIGNING_PASSPHRASE=${NEXT_PRIVATE_SIGNING_PASSPHRASE}
       - NEXT_PUBLIC_USE_INTERNAL_URL_BROWSERLESS=${NEXT_PUBLIC_USE_INTERNAL_URL_BROWSERLESS}

packages/app-tests/e2e/api/v2/unauthorized-api-access/api-access-file-upload.spec.ts

@@ -44,46 +44,6 @@ test.describe('File upload endpoint authorization', () => {
     expect(res.status()).toBe(401);
   });
 
-  test('rejects an unauthenticated presigned-post-url request', async ({ request }) => {
-    const res = await request.post(`${WEBAPP_BASE_URL}/api/files/presigned-post-url`, {
-      headers: { 'Content-Type': 'application/json' },
-      data: { fileName: 'test.pdf', contentType: 'application/pdf' },
-    });
-
-    expect(res.ok()).toBeFalsy();
-    expect(res.status()).toBe(401);
-  });
-
-  test('rejects a presigned-post-url request with an invalid presign token', async ({ request }) => {
-    const res = await request.post(`${WEBAPP_BASE_URL}/api/files/presigned-post-url`, {
-      headers: {
-        'Content-Type': 'application/json',
-        Authorization: 'Bearer not-a-real-token',
-      },
-      data: { fileName: 'test.pdf', contentType: 'application/pdf' },
-    });
-
-    expect(res.ok()).toBeFalsy();
-    expect(res.status()).toBe(401);
-  });
-
-  test('rejects a presigned-post-url request with a disallowed content type', async ({ request }) => {
-    const { user, team } = await seedUser();
-    const presignToken = await createPresignTokenForUser(user.id, team.id);
-
-    const res = await request.post(`${WEBAPP_BASE_URL}/api/files/presigned-post-url`, {
-      headers: {
-        'Content-Type': 'application/json',
-        Authorization: `Bearer ${presignToken}`,
-      },
-      data: { fileName: 'malware.exe', contentType: 'application/x-msdownload' },
-    });
-
-    // Authenticated, but the content type is not on the allow-list.
-    expect(res.ok()).toBeFalsy();
-    expect(res.status()).toBe(400);
-  });
-
   test('allows an upload-pdf request authorized by a valid presign token', async ({ request }) => {
     const { user, team } = await seedUser();
     const presignToken = await createPresignTokenForUser(user.id, team.id);

packages/app-tests/e2e/branding-logo-optimise.spec.ts

@@ -0,0 +1,37 @@
+import { optimiseBrandingLogo } from '@documenso/lib/utils/images/logo';
+import { expect, test } from '@playwright/test';
+import sharp from 'sharp';
+
+const makePng = async (width = 1200, height = 1200) =>
+  sharp({
+    create: { width, height, channels: 3, background: { r: 10, g: 20, b: 30 } },
+  })
+    .png()
+    .toBuffer();
+
+test.describe('optimiseBrandingLogo', () => {
+  test('re-encodes a valid image to a PNG buffer', async () => {
+    const input = await makePng();
+
+    const output = await optimiseBrandingLogo(input);
+
+    const metadata = await sharp(output).metadata();
+
+    expect(metadata.format).toBe('png');
+  });
+
+  test('bounds the image to a maximum of 512px on its largest side', async () => {
+    const input = await makePng(2000, 1000);
+
+    const output = await optimiseBrandingLogo(input);
+
+    const metadata = await sharp(output).metadata();
+
+    expect(metadata.width).toBeLessThanOrEqual(512);
+    expect(metadata.height).toBeLessThanOrEqual(512);
+  });
+
+  test('rejects input that is not a valid image', async () => {
+    await expect(optimiseBrandingLogo(Buffer.from('this is not an image'))).rejects.toThrow();
+  });
+});

packages/app-tests/e2e/branding-logo-upload.spec.ts

@@ -0,0 +1,225 @@
+import fs from 'node:fs';
+import path from 'node:path';
+
+import { NEXT_PUBLIC_WEBAPP_URL } from '@documenso/lib/constants/app';
+import { prisma } from '@documenso/prisma';
+import { seedUser } from '@documenso/prisma/seed/users';
+import { expect, type Page, test } from '@playwright/test';
+
+import { apiSignin } from './fixtures/authentication';
+
+test.describe.configure({ mode: 'parallel' });
+
+const LOGO_PATH = path.join(__dirname, '../../assets/logo.png');
+
+type MultipartFile = { name: string; mimeType: string; buffer: Buffer };
+
+const enableBrandingAndUpload = async (page: Page) => {
+  // Enable custom branding so the file input is no longer disabled.
+  await page.getByTestId('enable-branding').click();
+  await page.getByRole('option', { name: 'Yes' }).click();
+
+  // Upload the logo file through the real multipart route.
+  await page.locator('input[type="file"]').setInputFiles(LOGO_PATH);
+
+  await page.getByRole('button', { name: 'Update' }).first().click();
+  await expect(page.getByText('Your branding preferences have been updated').first()).toBeVisible();
+};
+
+/**
+ * POST a logo straight to the dedicated multipart tRPC route using the
+ * authenticated browser cookies. This bypasses the client-side form validation,
+ * which is the only way to exercise the server-side image validation /
+ * sanitisation (`zfdBrandingImageFile` + `optimiseBrandingLogo`) and the entitlement gate.
+ */
+const postOrganisationBrandingLogo = async (page: Page, organisationId: string, file: MultipartFile | null) => {
+  const multipart: Record<string, string | MultipartFile> = {
+    payload: JSON.stringify({ organisationId }),
+  };
+
+  if (file) {
+    multipart.brandingLogo = file;
+  }
+
+  return await page
+    .context()
+    .request.post(`${NEXT_PUBLIC_WEBAPP_URL()}/api/trpc/organisation.settings.updateBrandingLogo`, { multipart });
+};
+
+/**
+ * Grant the organisation the custom-branding entitlement. The positive branding
+ * flows require it whenever billing is enabled; with billing disabled the gate is
+ * bypassed, so this keeps these tests valid in both modes.
+ */
+const grantCustomBranding = async (organisationClaimId: string) => {
+  await prisma.organisationClaim.update({
+    where: { id: organisationClaimId },
+    data: { flags: { allowLegacyEnvelopes: true, allowCustomBranding: true } },
+  });
+};
+
+test('[BRANDING_LOGO]: uploads an organisation branding logo via the dedicated route', async ({ page }) => {
+  const { user, organisation } = await seedUser({ isPersonalOrganisation: false });
+
+  await grantCustomBranding(organisation.organisationClaim.id);
+
+  await apiSignin({
+    page,
+    email: user.email,
+    redirectPath: `/o/${organisation.url}/settings/branding`,
+  });
+
+  await enableBrandingAndUpload(page);
+
+  const settings = await prisma.organisationGlobalSettings.findUniqueOrThrow({
+    where: { id: organisation.organisationGlobalSettingsId },
+  });
+
+  expect(settings.brandingLogo).toBeTruthy();
+
+  const parsed = JSON.parse(settings.brandingLogo);
+  expect(parsed).toHaveProperty('type');
+  expect(parsed).toHaveProperty('data');
+});
+
+test('[BRANDING_LOGO]: uploads a team branding logo via the dedicated route', async ({ page }) => {
+  const { user, team, organisation } = await seedUser({ isPersonalOrganisation: false });
+
+  await grantCustomBranding(organisation.organisationClaim.id);
+
+  await apiSignin({
+    page,
+    email: user.email,
+    redirectPath: `/t/${team.url}/settings/branding`,
+  });
+
+  await enableBrandingAndUpload(page);
+
+  // TeamGlobalSettings has no `teamId` column (the FK lives on Team), so read it
+  // through the team relation.
+  const teamWithSettings = await prisma.team.findUniqueOrThrow({
+    where: { id: team.id },
+    include: { teamGlobalSettings: true },
+  });
+
+  expect(teamWithSettings.teamGlobalSettings?.brandingLogo).toBeTruthy();
+
+  const parsed = JSON.parse(teamWithSettings.teamGlobalSettings?.brandingLogo ?? '');
+  expect(parsed).toHaveProperty('type');
+  expect(parsed).toHaveProperty('data');
+});
+
+test('[BRANDING_LOGO]: clears the organisation branding logo when the user removes it', async ({ page }) => {
+  const { user, organisation } = await seedUser({ isPersonalOrganisation: false });
+
+  await grantCustomBranding(organisation.organisationClaim.id);
+
+  await apiSignin({
+    page,
+    email: user.email,
+    redirectPath: `/o/${organisation.url}/settings/branding`,
+  });
+
+  await enableBrandingAndUpload(page);
+
+  // Confirm the logo was stored before we clear it.
+  const settings = await prisma.organisationGlobalSettings.findUniqueOrThrow({
+    where: { id: organisation.organisationGlobalSettingsId },
+  });
+
+  expect(settings.brandingLogo).toBeTruthy();
+
+  // Remove the logo and save again.
+  await page.getByRole('button', { name: 'Remove' }).click();
+  await page.getByRole('button', { name: 'Update' }).first().click();
+
+  // Clearing the logo persists an empty string via the dedicated route.
+  await expect
+    .poll(async () => {
+      const updated = await prisma.organisationGlobalSettings.findUniqueOrThrow({
+        where: { id: organisation.organisationGlobalSettingsId },
+      });
+
+      return updated.brandingLogo;
+    })
+    .toBe('');
+});
+
+test('[BRANDING_LOGO]: validates and sanitises the logo on the server', async ({ page }) => {
+  const { user, organisation } = await seedUser({ isPersonalOrganisation: false });
+
+  await grantCustomBranding(organisation.organisationClaim.id);
+
+  await apiSignin({
+    page,
+    email: user.email,
+    redirectPath: `/o/${organisation.url}/settings/branding`,
+  });
+
+  // Positive control: a genuine PNG is accepted and stored. This also proves the
+  // direct multipart request shape matches what the route expects.
+  const validResponse = await postOrganisationBrandingLogo(page, organisation.id, {
+    name: 'logo.png',
+    mimeType: 'image/png',
+    buffer: fs.readFileSync(LOGO_PATH),
+  });
+
+  expect(validResponse.ok()).toBeTruthy();
+
+  const afterValid = await prisma.organisationGlobalSettings.findUniqueOrThrow({
+    where: { id: organisation.organisationGlobalSettingsId },
+  });
+
+  expect(afterValid.brandingLogo).toBeTruthy();
+
+  // Bytes that pass the MIME/size allowlist but are not a real image must be
+  // rejected by the server (the `sharp` re-encode) without changing stored state.
+  const invalidResponse = await postOrganisationBrandingLogo(page, organisation.id, {
+    name: 'fake.png',
+    mimeType: 'image/png',
+    buffer: Buffer.from('this is definitely not a valid png'),
+  });
+
+  expect(invalidResponse.ok()).toBeFalsy();
+  expect(invalidResponse.status()).toBeGreaterThanOrEqual(400);
+  expect(invalidResponse.status()).toBeLessThan(500);
+
+  const afterInvalid = await prisma.organisationGlobalSettings.findUniqueOrThrow({
+    where: { id: organisation.organisationGlobalSettingsId },
+  });
+
+  // The previously stored, valid logo is left untouched by the rejected upload.
+  expect(afterInvalid.brandingLogo).toBe(afterValid.brandingLogo);
+});
+
+test('[BRANDING_LOGO]: rejects setting a logo without the custom-branding entitlement', async ({ page }) => {
+  // The entitlement is only enforced when billing is enabled; with billing off
+  // the check is intentionally skipped server-side, so this can't be exercised.
+  test.skip(
+    process.env.NEXT_PUBLIC_FEATURE_BILLING_ENABLED !== 'true',
+    'Entitlement is only enforced when billing is enabled.',
+  );
+
+  // Seeded organisations have no `allowCustomBranding` claim flag.
+  const { user, organisation } = await seedUser({ isPersonalOrganisation: false });
+
+  await apiSignin({
+    page,
+    email: user.email,
+    redirectPath: `/o/${organisation.url}/settings/branding`,
+  });
+
+  const response = await postOrganisationBrandingLogo(page, organisation.id, {
+    name: 'logo.png',
+    mimeType: 'image/png',
+    buffer: fs.readFileSync(LOGO_PATH),
+  });
+
+  expect(response.ok()).toBeFalsy();
+
+  const settings = await prisma.organisationGlobalSettings.findUniqueOrThrow({
+    where: { id: organisation.organisationGlobalSettingsId },
+  });
+
+  expect(settings.brandingLogo).toBeFalsy();
+});

packages/app-tests/e2e/signing-branding.spec.ts

@@ -142,3 +142,38 @@ test('[SIGNING_BRANDING]: embedded signing does not render custom logo Brand Web
   await expect(page.locator(`a[href="${BRANDING_URL}"]`)).toHaveCount(0);
   await expect(page.getByRole('link', { name: `${team.name}'s Logo` })).toHaveCount(0);
 });
+
+test('[SIGNING_BRANDING]: custom logo renders when branding is enabled and is hidden when disabled', async ({
+  page,
+}) => {
+  const { user, team, organisation } = await seedUser();
+
+  await enableOrganisationBranding({
+    organisationGlobalSettingsId: organisation.organisationGlobalSettingsId,
+  });
+
+  const { recipients } = await seedPendingDocumentWithFullFields({
+    owner: user,
+    teamId: team.id,
+    recipients: ['enabled-disabled-branding-signer@test.documenso.com'],
+    fields: [FieldType.SIGNATURE],
+    updateDocumentOptions: { internalVersion: 2 },
+  });
+
+  // Branding enabled → the custom logo is rendered on the signing page.
+  await page.goto(`/sign/${recipients[0].token}`);
+  await expectPlainBrandingLogo(page, `${team.name}'s Logo`);
+
+  // Disable branding while keeping the stored logo (the team inherits this).
+  await prisma.organisationGlobalSettings.update({
+    where: { id: organisation.organisationGlobalSettingsId },
+    data: { brandingEnabled: false },
+  });
+
+  // Branding disabled → the custom logo is gone and the Documenso fallback
+  // (an internal link to "/") is shown instead.
+  await page.goto(`/sign/${recipients[0].token}`);
+
+  await expect(page.getByRole('img', { name: `${team.name}'s Logo` })).toHaveCount(0);
+  await expect(page.locator('a[href="/"]').first()).toBeVisible();
+});

packages/app-tests/e2e/teams/team-groups.spec.ts

@@ -1,163 +0,0 @@
-import { NEXT_PUBLIC_WEBAPP_URL } from '@documenso/lib/constants/app';
-import { generateDatabaseId } from '@documenso/lib/universal/id';
-import { prisma } from '@documenso/prisma';
-import { seedTeamMember } from '@documenso/prisma/seed/teams';
-import { seedUser } from '@documenso/prisma/seed/users';
-import { expect, type Page, test } from '@playwright/test';
-import { OrganisationGroupType, OrganisationMemberRole, TeamMemberRole } from '@prisma/client';
-
-import { apiSignin } from '../fixtures/authentication';
-
-const WEBAPP_BASE_URL = NEXT_PUBLIC_WEBAPP_URL();
-
-test.describe.configure({ mode: 'parallel' });
-
-/**
- * Calls a team-group tRPC mutation directly, bypassing the UI.
- *
- * The UI only ever surfaces CUSTOM / INTERNAL_ORGANISATION groups, so these
- * authorisation rules must be enforced on the server - a crafted request can
- * target any `teamGroupId`, including the system-managed INTERNAL_TEAM groups.
- */
-const callTeamGroupMutation = (
-  page: Page,
-  procedure: 'team.group.delete' | 'team.group.update',
-  teamId: number,
-  input: Record<string, unknown>,
-) =>
-  page.context().request.post(`${WEBAPP_BASE_URL}/api/trpc/${procedure}`, {
-    headers: { 'content-type': 'application/json', 'x-team-id': teamId.toString() },
-    data: JSON.stringify({ json: input }),
-  });
-
-/**
- * Every team is created with three system-managed INTERNAL_TEAM groups
- * (admin/manager/member). They are the backbone of team-specific access and,
- * like organisation internal groups, must not be deletable - deleting them
- * silently strips team members of access while leaving the team row in place.
- */
-test('[TEAMS]: internal team groups cannot be deleted via the API', async ({ page }) => {
-  // Member inheritance OFF: membership is granted exclusively through the team's
-  // INTERNAL_TEAM groups, so removing them is what causes the access loss.
-  const { user: owner, team } = await seedUser({ inheritMembers: false });
-
-  // A direct team member whose access depends on the INTERNAL_TEAM member group.
-  const directMember = await seedTeamMember({ teamId: team.id, role: TeamMemberRole.MEMBER });
-
-  await apiSignin({ page, email: owner.email });
-
-  const internalTeamGroups = await prisma.teamGroup.findMany({
-    where: {
-      teamId: team.id,
-      organisationGroup: { type: OrganisationGroupType.INTERNAL_TEAM },
-    },
-  });
-
-  // admin + manager + member.
-  expect(internalTeamGroups).toHaveLength(3);
-
-  for (const group of internalTeamGroups) {
-    const response = await callTeamGroupMutation(page, 'team.group.delete', team.id, {
-      teamId: team.id,
-      teamGroupId: group.id,
-    });
-
-    expect(response.status(), `INTERNAL_TEAM ${group.teamRole} group must not be deletable`).not.toBe(200);
-  }
-
-  // None of the internal groups were removed.
-  const remaining = await prisma.teamGroup.count({
-    where: {
-      teamId: team.id,
-      organisationGroup: { type: OrganisationGroupType.INTERNAL_TEAM },
-    },
-  });
-
-  expect(remaining).toBe(3);
-
-  // The direct member therefore keeps their team access.
-  const memberStillHasAccess = await prisma.teamGroup.findFirst({
-    where: {
-      teamId: team.id,
-      organisationGroup: {
-        type: OrganisationGroupType.INTERNAL_TEAM,
-        organisationGroupMembers: {
-          some: { organisationMember: { userId: directMember.id } },
-        },
-      },
-    },
-  });
-
-  expect(memberStillHasAccess).not.toBeNull();
-});
-
-/**
- * Guards against over-blocking: user-created (CUSTOM) team groups are not
- * internal and must remain removable by team managers/admins.
- */
-test('[TEAMS]: custom team groups can still be deleted', async ({ page }) => {
-  const { user: owner, organisation, team } = await seedUser({ inheritMembers: false });
-
-  const customGroup = await prisma.organisationGroup.create({
-    data: {
-      id: generateDatabaseId('org_group'),
-      name: `custom-${team.url}`,
-      type: OrganisationGroupType.CUSTOM,
-      organisationRole: OrganisationMemberRole.MEMBER,
-      organisationId: organisation.id,
-      teamGroups: {
-        create: {
-          id: generateDatabaseId('team_group'),
-          teamId: team.id,
-          teamRole: TeamMemberRole.MEMBER,
-        },
-      },
-    },
-    include: { teamGroups: true },
-  });
-
-  const customTeamGroup = customGroup.teamGroups[0];
-
-  await apiSignin({ page, email: owner.email });
-
-  const response = await callTeamGroupMutation(page, 'team.group.delete', team.id, {
-    teamId: team.id,
-    teamGroupId: customTeamGroup.id,
-  });
-
-  expect(response.status()).toBe(200);
-
-  const deleted = await prisma.teamGroup.findUnique({ where: { id: customTeamGroup.id } });
-
-  expect(deleted).toBeNull();
-});
-
-/**
- * The same root cause affects updates: an INTERNAL_TEAM group's role must not be
- * editable either, otherwise a team admin could rewrite the backbone roles
- * (e.g. promote the member group to admin).
- */
-test('[TEAMS]: internal team groups cannot be updated via the API', async ({ page }) => {
-  const { user: owner, team } = await seedUser({ inheritMembers: false });
-
-  await apiSignin({ page, email: owner.email });
-
-  const internalMemberGroup = await prisma.teamGroup.findFirstOrThrow({
-    where: {
-      teamId: team.id,
-      teamRole: TeamMemberRole.MEMBER,
-      organisationGroup: { type: OrganisationGroupType.INTERNAL_TEAM },
-    },
-  });
-
-  const response = await callTeamGroupMutation(page, 'team.group.update', team.id, {
-    id: internalMemberGroup.id,
-    data: { teamRole: TeamMemberRole.ADMIN },
-  });
-
-  expect(response.status()).not.toBe(200);
-
-  const reloaded = await prisma.teamGroup.findUniqueOrThrow({ where: { id: internalMemberGroup.id } });
-
-  expect(reloaded.teamRole).toBe(TeamMemberRole.MEMBER);
-});

packages/auth/server/lib/errors/error-codes.ts

@@ -17,7 +17,6 @@ export const AuthenticationErrorCode = {
   // TwoFactorMissingSecret: 'TWO_FACTOR_MISSING_SECRET',
   // TwoFactorMissingCredentials: 'TWO_FACTOR_MISSING_CREDENTIALS',
   InvalidTwoFactorCode: 'INVALID_TWO_FACTOR_CODE',
-  SigninDisabled: 'SIGNIN_DISABLED',
   SignupDisabled: 'SIGNUP_DISABLED',
   SignupDisposableEmail: 'SIGNUP_DISPOSABLE_EMAIL',
   // IncorrectTwoFactorBackupCode: 'INCORRECT_TWO_FACTOR_BACKUP_CODE',

packages/auth/server/routes/email-password.ts

@@ -1,7 +1,6 @@
 import {
   isDisposableEmail,
   isEmailDomainAllowedForSignup,
-  isSigninEnabledForProvider,
   isSignupEnabledForProvider,
 } from '@documenso/lib/constants/auth';
 import { EMAIL_VERIFICATION_STATE } from '@documenso/lib/constants/email';
@@ -65,12 +64,6 @@ export const emailPasswordRoute = new Hono<HonoAuthContext>()
   .post('/authorize', sValidator('json', ZSignInSchema), async (c) => {
     const requestMetadata = c.get('requestMetadata');
 
-    if (!isSigninEnabledForProvider('email')) {
-      throw new AppError(AuthenticationErrorCode.SigninDisabled, {
-        statusCode: 400,
-      });
-    }
-
     const { email, password, totpCode, backupCode, csrfToken, captchaToken } = c.req.valid('json');
 
     const loginLimitResult = await loginRateLimit.check({
@@ -251,12 +244,6 @@ export const emailPasswordRoute = new Hono<HonoAuthContext>()
     const { password, currentPassword } = c.req.valid('json');
     const requestMetadata = c.get('requestMetadata');
 
-    if (!isSigninEnabledForProvider('email')) {
-      throw new AppError(AuthenticationErrorCode.SigninDisabled, {
-        statusCode: 400,
-      });
-    }
-
     const { session, user } = await getSession(c);
 
     await updatePassword({
@@ -359,12 +346,6 @@ export const emailPasswordRoute = new Hono<HonoAuthContext>()
   .post('/forgot-password', sValidator('json', ZForgotPasswordSchema), async (c) => {
     const requestMetadata = c.get('requestMetadata');
 
-    if (!isSigninEnabledForProvider('email')) {
-      throw new AppError(AuthenticationErrorCode.SigninDisabled, {
-        statusCode: 400,
-      });
-    }
-
     const { email } = c.req.valid('json');
 
     const forgotLimitResult = await forgotPasswordRateLimit.check({
@@ -396,12 +377,6 @@ export const emailPasswordRoute = new Hono<HonoAuthContext>()
   .post('/reset-password', sValidator('json', ZResetPasswordSchema), async (c) => {
     const requestMetadata = c.get('requestMetadata');
 
-    if (!isSigninEnabledForProvider('email')) {
-      throw new AppError(AuthenticationErrorCode.SigninDisabled, {
-        statusCode: 400,
-      });
-    }
-
     const { token, password } = c.req.valid('json');
 
     const resetLimitResult = await resetPasswordRateLimit.check({

packages/lib/constants/auth.ts

@@ -41,14 +41,6 @@ export const IS_OIDC_SSO_ENABLED = Boolean(
 
 export const OIDC_PROVIDER_LABEL = env('NEXT_PRIVATE_OIDC_PROVIDER_LABEL');
 
-/**
- * Opt-out flag for the automatic OIDC redirect.
- *
- * When OIDC is the only enabled signin transport we redirect to the provider
- * automatically. Set this to "true" to keep rendering the signin page instead.
- */
-export const IS_OIDC_AUTO_REDIRECT_DISABLED = env('NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT') === 'true';
-
 export const USER_SECURITY_AUDIT_LOG_MAP: Record<string, string> = {
   ACCOUNT_SSO_LINK: 'Linked account to SSO',
   ACCOUNT_SSO_UNLINK: 'Unlinked account from SSO',
@@ -196,22 +188,3 @@ export const isSignupEnabledForProvider = (provider: 'email' | 'google' | 'micro
 
   return env(flagMap[provider]) !== 'true';
 };
-
-/**
- * Check if signin is enabled for the given provider.
- * The master switch takes precedence over the per-provider flags.
- */
-export const isSigninEnabledForProvider = (provider: 'email' | 'google' | 'microsoft' | 'oidc'): boolean => {
-  if (env('NEXT_PUBLIC_DISABLE_SIGNIN') === 'true') {
-    return false;
-  }
-
-  const flagMap = {
-    email: 'NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN',
-    google: 'NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN',
-    microsoft: 'NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN',
-    oidc: 'NEXT_PUBLIC_DISABLE_OIDC_SIGNIN',
-  } as const;
-
-  return env(flagMap[provider]) !== 'true';
-};

packages/lib/constants/branding.ts

@@ -9,3 +9,13 @@
  * cap so a malicious or runaway payload can't exhaust PostCSS/server memory.
  */
 export const BRANDING_CSS_MAX_LENGTH = 256 * 1024;
+
+/**
+ * Branding logo upload constraints. Enforced server-side at the TRPC request
+ * boundary (`zfdBrandingImageFile`) and reused by the client form for matching UX.
+ */
+export const BRANDING_LOGO_MAX_SIZE_MB = 5;
+
+export const BRANDING_LOGO_MAX_SIZE_BYTES = BRANDING_LOGO_MAX_SIZE_MB * 1024 * 1024;
+
+export const BRANDING_LOGO_ALLOWED_TYPES: string[] = ['image/jpeg', 'image/png', 'image/webp'];

packages/lib/server-only/branding/store-branding-logo.ts

@@ -0,0 +1,26 @@
+import { AppError, AppErrorCode } from '../../errors/app-error';
+import { putFileServerSide } from '../../universal/upload/put-file.server';
+import { optimiseBrandingLogo } from '../../utils/images/logo';
+
+/**
+ * Validate, sanitise and store an uploaded branding logo. Returns the
+ * `JSON.stringify({ type, data })` reference persisted in the `brandingLogo`
+ * column (the same format the serving endpoints already expect).
+ */
+export const buildBrandingLogoData = async (file: File): Promise<string> => {
+  const buffer = Buffer.from(await file.arrayBuffer());
+
+  const optimised = await optimiseBrandingLogo(buffer).catch(() => {
+    throw new AppError(AppErrorCode.INVALID_BODY, {
+      message: 'The branding logo must be a valid image file.',
+    });
+  });
+
+  const documentData = await putFileServerSide({
+    name: 'branding-logo.png',
+    type: 'image/png',
+    arrayBuffer: async () => Promise.resolve(optimised),
+  });
+
+  return JSON.stringify(documentData);
+};

packages/lib/translations/de/web.po

@@ -8917,11 +8917,6 @@ msgstr "Weiterleitungs-URL"
 msgid "Redirecting"
 msgstr "Weiterleitung"
 
-#. placeholder {0}: oidcProviderLabel || 'OIDC'
-#: apps/remix/app/routes/_unauthenticated+/signin.tsx
-msgid "Redirecting to {0}..."
-msgstr ""
-
 #: apps/remix/app/components/forms/signup.tsx
 #: apps/remix/app/components/general/claim-account.tsx
 msgid "Registration Successful"

packages/lib/translations/en/web.po

@@ -8908,11 +8908,6 @@ msgstr "Redirect URL"
 msgid "Redirecting"
 msgstr "Redirecting"
 
-#. placeholder {0}: oidcProviderLabel || 'OIDC'
-#: apps/remix/app/routes/_unauthenticated+/signin.tsx
-msgid "Redirecting to {0}..."
-msgstr "Redirecting to {0}..."
-
 #: apps/remix/app/components/forms/signup.tsx
 #: apps/remix/app/components/general/claim-account.tsx
 msgid "Registration Successful"

packages/lib/translations/es/web.po

@@ -8917,11 +8917,6 @@ msgstr "URL de redirección"
 msgid "Redirecting"
 msgstr "Redireccionando"
 
-#. placeholder {0}: oidcProviderLabel || 'OIDC'
-#: apps/remix/app/routes/_unauthenticated+/signin.tsx
-msgid "Redirecting to {0}..."
-msgstr ""
-
 #: apps/remix/app/components/forms/signup.tsx
 #: apps/remix/app/components/general/claim-account.tsx
 msgid "Registration Successful"

packages/lib/translations/fr/web.po

@@ -8424,7 +8424,7 @@ msgstr "Veuillez réessayer ou contacter notre support."
 #. placeholder {0}: `'${t(deleteMessage)}'`
 #: apps/remix/app/components/dialogs/envelope-delete-dialog.tsx
 msgid "Please type {0} to confirm"
-msgstr "Veuillez taper {0} pour confirmer"
+msgstr "Veuiillez taper {0} pour confirmer"
 
 #. placeholder {0}: user.email
 #: apps/remix/app/components/dialogs/account-delete-dialog.tsx
@@ -8917,11 +8917,6 @@ msgstr "URL de redirection"
 msgid "Redirecting"
 msgstr "Redirection"
 
-#. placeholder {0}: oidcProviderLabel || 'OIDC'
-#: apps/remix/app/routes/_unauthenticated+/signin.tsx
-msgid "Redirecting to {0}..."
-msgstr ""
-
 #: apps/remix/app/components/forms/signup.tsx
 #: apps/remix/app/components/general/claim-account.tsx
 msgid "Registration Successful"

packages/lib/translations/it/web.po

@@ -8917,11 +8917,6 @@ msgstr "URL di reindirizzamento"
 msgid "Redirecting"
 msgstr "Reindirizzamento"
 
-#. placeholder {0}: oidcProviderLabel || 'OIDC'
-#: apps/remix/app/routes/_unauthenticated+/signin.tsx
-msgid "Redirecting to {0}..."
-msgstr ""
-
 #: apps/remix/app/components/forms/signup.tsx
 #: apps/remix/app/components/general/claim-account.tsx
 msgid "Registration Successful"

packages/lib/translations/ja/web.po

@@ -8917,11 +8917,6 @@ msgstr "リダイレクト URL"
 msgid "Redirecting"
 msgstr "リダイレクト中"
 
-#. placeholder {0}: oidcProviderLabel || 'OIDC'
-#: apps/remix/app/routes/_unauthenticated+/signin.tsx
-msgid "Redirecting to {0}..."
-msgstr ""
-
 #: apps/remix/app/components/forms/signup.tsx
 #: apps/remix/app/components/general/claim-account.tsx
 msgid "Registration Successful"

packages/lib/translations/ko/web.po

@@ -8917,11 +8917,6 @@ msgstr "리디렉션 URL"
 msgid "Redirecting"
 msgstr "리디렉션 중"
 
-#. placeholder {0}: oidcProviderLabel || 'OIDC'
-#: apps/remix/app/routes/_unauthenticated+/signin.tsx
-msgid "Redirecting to {0}..."
-msgstr ""
-
 #: apps/remix/app/components/forms/signup.tsx
 #: apps/remix/app/components/general/claim-account.tsx
 msgid "Registration Successful"

packages/lib/translations/nl/web.po

@@ -8917,11 +8917,6 @@ msgstr "Redirect-URL"
 msgid "Redirecting"
 msgstr "Doorsturen"
 
-#. placeholder {0}: oidcProviderLabel || 'OIDC'
-#: apps/remix/app/routes/_unauthenticated+/signin.tsx
-msgid "Redirecting to {0}..."
-msgstr ""
-
 #: apps/remix/app/components/forms/signup.tsx
 #: apps/remix/app/components/general/claim-account.tsx
 msgid "Registration Successful"

packages/lib/translations/pl/web.po

@@ -8918,11 +8918,6 @@ msgstr "Adres URL przekierowania"
 msgid "Redirecting"
 msgstr "Przekierowywanie"
 
-#. placeholder {0}: oidcProviderLabel || 'OIDC'
-#: apps/remix/app/routes/_unauthenticated+/signin.tsx
-msgid "Redirecting to {0}..."
-msgstr ""
-
 #: apps/remix/app/components/forms/signup.tsx
 #: apps/remix/app/components/general/claim-account.tsx
 msgid "Registration Successful"

packages/lib/translations/pt-BR/web.po

@@ -8908,11 +8908,6 @@ msgstr "URL de Redirecionamento"
 msgid "Redirecting"
 msgstr "Redirecionando"
 
-#. placeholder {0}: oidcProviderLabel || 'OIDC'
-#: apps/remix/app/routes/_unauthenticated+/signin.tsx
-msgid "Redirecting to {0}..."
-msgstr ""
-
 #: apps/remix/app/components/forms/signup.tsx
 #: apps/remix/app/components/general/claim-account.tsx
 msgid "Registration Successful"

packages/lib/translations/zh/web.po

@@ -8917,11 +8917,6 @@ msgstr "重定向 URL"
 msgid "Redirecting"
 msgstr "正在重定向"
 
-#. placeholder {0}: oidcProviderLabel || 'OIDC'
-#: apps/remix/app/routes/_unauthenticated+/signin.tsx
-msgid "Redirecting to {0}..."
-msgstr ""
-
 #: apps/remix/app/components/forms/signup.tsx
 #: apps/remix/app/components/general/claim-account.tsx
 msgid "Registration Successful"

packages/lib/universal/upload/put-file.ts

@@ -1,10 +1,5 @@
-import { env } from '@documenso/lib/utils/env';
-import type { TGetPresignedPostUrlResponse, TUploadPdfResponse } from '@documenso/remix/server/api/files/files.types';
-import { DocumentDataType } from '@prisma/client';
-import { base64 } from '@scure/base';
-import { match } from 'ts-pattern';
+import type { TUploadPdfResponse } from '@documenso/remix/server/api/files/files.types';
 
-import { NEXT_PUBLIC_WEBAPP_URL } from '../../constants/app';
 import { AppError } from '../../errors/app-error';
 
 type File = {
@@ -58,68 +53,3 @@ export const putPdfFile = async (file: File, options?: PutFileOptions) => {
 
   return result;
 };
-
-/**
- * Uploads a file to the appropriate storage location.
- */
-export const putFile = async (file: File, options?: PutFileOptions) => {
-  const NEXT_PUBLIC_UPLOAD_TRANSPORT = env('NEXT_PUBLIC_UPLOAD_TRANSPORT');
-
-  return await match(NEXT_PUBLIC_UPLOAD_TRANSPORT)
-    .with('s3', async () => putFileInObjectStorage(file, {}, options))
-    .with('azure-blob', async () => putFileInObjectStorage(file, { 'x-ms-blob-type': 'BlockBlob' }, options))
-    .otherwise(async () => putFileInDatabase(file));
-};
-
-const putFileInDatabase = async (file: File) => {
-  const contents = await file.arrayBuffer();
-
-  const binaryData = new Uint8Array(contents);
-
-  const asciiData = base64.encode(binaryData);
-
-  return {
-    type: DocumentDataType.BYTES_64,
-    data: asciiData,
-  };
-};
-
-const putFileInObjectStorage = async (file: File, extraHeaders: Record<string, string>, options?: PutFileOptions) => {
-  const getPresignedUrlResponse = await fetch(`${NEXT_PUBLIC_WEBAPP_URL()}/api/files/presigned-post-url`, {
-    method: 'POST',
-    headers: {
-      'Content-Type': 'application/json',
-      ...buildUploadAuthHeaders(options),
-    },
-    body: JSON.stringify({
-      fileName: file.name,
-      contentType: file.type,
-    }),
-  });
-
-  if (!getPresignedUrlResponse.ok) {
-    throw new Error(`Failed to get presigned post url, failed with status code ${getPresignedUrlResponse.status}`);
-  }
-
-  const { url, key }: TGetPresignedPostUrlResponse = await getPresignedUrlResponse.json();
-
-  const body = await file.arrayBuffer();
-
-  const response = await fetch(url, {
-    method: 'PUT',
-    headers: {
-      'Content-Type': 'application/octet-stream',
-      ...extraHeaders,
-    },
-    body,
-  });
-
-  if (!response.ok) {
-    throw new Error(`Failed to upload file "${file.name}", failed with status code ${response.status}`);
-  }
-
-  return {
-    type: DocumentDataType.S3_PATH,
-    data: key,
-  };
-};

packages/lib/utils/images/logo.ts

@@ -8,3 +8,15 @@ export const loadLogo = async (file: Uint8Array) => {
     content,
   };
 };
+
+/**
+ * Validate and sanitise an uploaded branding logo. Re-encoding through `sharp`
+ * proves the bytes are a real raster image and strips any embedded payloads.
+ * Throws if the input cannot be parsed as an image.
+ */
+export const optimiseBrandingLogo = async (input: Buffer | Uint8Array): Promise<Buffer> => {
+  return await sharp(input)
+    .resize(512, 512, { fit: 'inside', withoutEnlargement: true })
+    .png({ quality: 80 })
+    .toBuffer();
+};

packages/trpc/server/organisation-router/router.ts

@@ -20,6 +20,7 @@ import { getOrganisationsRoute } from './get-organisations';
 import { leaveOrganisationRoute } from './leave-organisation';
 import { resendOrganisationMemberInviteRoute } from './resend-organisation-member-invite';
 import { updateOrganisationRoute } from './update-organisation';
+import { updateOrganisationBrandingLogoRoute } from './update-organisation-branding-logo';
 import { updateOrganisationGroupRoute } from './update-organisation-group';
 import { updateOrganisationMemberRoute } from './update-organisation-members';
 import { updateOrganisationSettingsRoute } from './update-organisation-settings';
@@ -55,6 +56,7 @@ export const organisationRouter = router({
   },
   settings: {
     update: updateOrganisationSettingsRoute,
+    updateBrandingLogo: updateOrganisationBrandingLogoRoute,
   },
   internal: {
     getOrganisationSession: getOrganisationSessionRoute,

packages/trpc/server/organisation-router/update-organisation-branding-logo.ts

@@ -0,0 +1,69 @@
+import { IS_BILLING_ENABLED } from '@documenso/lib/constants/app';
+import { ORGANISATION_MEMBER_ROLE_PERMISSIONS_MAP } from '@documenso/lib/constants/organisations';
+import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
+import { buildBrandingLogoData } from '@documenso/lib/server-only/branding/store-branding-logo';
+import { getOrganisationClaim } from '@documenso/lib/server-only/organisation/get-organisation-claims';
+import { buildOrganisationWhereQuery } from '@documenso/lib/utils/organisations';
+import { prisma } from '@documenso/prisma';
+
+import { authenticatedProcedure } from '../trpc';
+import {
+  ZUpdateOrganisationBrandingLogoRequestSchema,
+  ZUpdateOrganisationBrandingLogoResponseSchema,
+} from './update-organisation-branding-logo.types';
+
+export const updateOrganisationBrandingLogoRoute = authenticatedProcedure
+  .input(ZUpdateOrganisationBrandingLogoRequestSchema)
+  .output(ZUpdateOrganisationBrandingLogoResponseSchema)
+  .mutation(async ({ ctx, input }) => {
+    const { user } = ctx;
+    const { payload, brandingLogo } = input;
+    const { organisationId } = payload;
+
+    ctx.logger.info({
+      input: {
+        organisationId,
+      },
+    });
+
+    const organisation = await prisma.organisation.findFirst({
+      where: buildOrganisationWhereQuery({
+        organisationId,
+        userId: user.id,
+        roles: ORGANISATION_MEMBER_ROLE_PERMISSIONS_MAP['MANAGE_ORGANISATION'],
+      }),
+    });
+
+    if (!organisation) {
+      throw new AppError(AppErrorCode.UNAUTHORIZED, {
+        message: 'You do not have permission to update this organisation.',
+      });
+    }
+
+    // Setting a logo requires the custom-branding entitlement; clearing it is
+    // always allowed so a downgraded organisation can still remove its logo.
+    if (brandingLogo && IS_BILLING_ENABLED()) {
+      const claim = await getOrganisationClaim({ organisationId });
+
+      if (claim.flags?.allowCustomBranding !== true) {
+        throw new AppError(AppErrorCode.UNAUTHORIZED, {
+          message: 'Your plan does not allow custom branding.',
+        });
+      }
+    }
+
+    const brandingLogoValue = brandingLogo ? await buildBrandingLogoData(brandingLogo) : '';
+
+    await prisma.organisation.update({
+      where: {
+        id: organisation.id,
+      },
+      data: {
+        organisationGlobalSettings: {
+          update: {
+            brandingLogo: brandingLogoValue,
+          },
+        },
+      },
+    });
+  });

packages/trpc/server/organisation-router/update-organisation-branding-logo.types.ts

@@ -0,0 +1,17 @@
+import { z } from 'zod';
+import { zfd } from 'zod-form-data';
+
+import { zfdBrandingImageFile, zodFormData } from '../../utils/zod-form-data';
+
+export const ZUpdateOrganisationBrandingLogoRequestSchema = zodFormData({
+  payload: zfd.json(
+    z.object({
+      organisationId: z.string(),
+    }),
+  ),
+  brandingLogo: zfdBrandingImageFile().optional(),
+});
+
+export const ZUpdateOrganisationBrandingLogoResponseSchema = z.void();
+
+export type TUpdateOrganisationBrandingLogoRequest = z.infer<typeof ZUpdateOrganisationBrandingLogoRequestSchema>;

packages/trpc/server/organisation-router/update-organisation-settings.ts

@@ -44,7 +44,6 @@ export const updateOrganisationSettingsRoute = authenticatedProcedure
 
       // Branding related settings.
       brandingEnabled,
-      brandingLogo,
       brandingUrl,
       brandingCompanyDetails,
       brandingColors,
@@ -174,7 +173,6 @@ export const updateOrganisationSettingsRoute = authenticatedProcedure
 
             // Branding related settings.
             brandingEnabled,
-            brandingLogo,
             brandingUrl,
             brandingCompanyDetails,
             brandingColors: normalizedBrandingColors === null ? Prisma.DbNull : normalizedBrandingColors,

packages/trpc/server/organisation-router/update-organisation-settings.types.ts

@@ -32,7 +32,6 @@ export const ZUpdateOrganisationSettingsRequestSchema = z.object({
 
     // Branding related settings.
     brandingEnabled: z.boolean().optional(),
-    brandingLogo: z.string().optional(),
     brandingUrl: z.string().optional(),
     brandingCompanyDetails: z.string().optional(),
     brandingColors: ZCssVarsSchema.nullish(),

packages/trpc/server/team-router/delete-team-group.ts

@@ -53,15 +53,6 @@ export const deleteTeamGroupRoute = authenticatedProcedure
       });
     }
 
-    // You cannot delete internal team groups. These are the system-managed
-    // admin/manager/member groups that back the team's role-based access, and
-    // deleting them would silently strip team members of their access.
-    if (group.organisationGroup.type === OrganisationGroupType.INTERNAL_TEAM) {
-      throw new AppError(AppErrorCode.UNAUTHORIZED, {
-        message: 'You are not allowed to delete internal team groups',
-      });
-    }
-
     // You cannot delete internal organisation groups.
     // The only exception is deleting the "member" organisation group which is used to allow
     // all organisation members to access a team.

packages/trpc/server/team-router/router.ts

@@ -25,6 +25,7 @@ import {
   ZUpdateTeamEmailMutationSchema,
 } from './schema';
 import { updateTeamRoute } from './update-team';
+import { updateTeamBrandingLogoRoute } from './update-team-branding-logo';
 import { updateTeamGroupRoute } from './update-team-group';
 import { updateTeamMemberRoute } from './update-team-member';
 import { updateTeamSettingsRoute } from './update-team-settings';
@@ -50,6 +51,7 @@ export const teamRouter = router({
   },
   settings: {
     update: updateTeamSettingsRoute,
+    updateBrandingLogo: updateTeamBrandingLogoRoute,
   },
 
   // Old routes (to be migrated)

packages/trpc/server/team-router/update-team-branding-logo.ts

@@ -0,0 +1,69 @@
+import { IS_BILLING_ENABLED } from '@documenso/lib/constants/app';
+import { TEAM_MEMBER_ROLE_PERMISSIONS_MAP } from '@documenso/lib/constants/teams';
+import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
+import { buildBrandingLogoData } from '@documenso/lib/server-only/branding/store-branding-logo';
+import { getOrganisationClaimByTeamId } from '@documenso/lib/server-only/organisation/get-organisation-claims';
+import { buildTeamWhereQuery } from '@documenso/lib/utils/teams';
+import { prisma } from '@documenso/prisma';
+
+import { authenticatedProcedure } from '../trpc';
+import {
+  ZUpdateTeamBrandingLogoRequestSchema,
+  ZUpdateTeamBrandingLogoResponseSchema,
+} from './update-team-branding-logo.types';
+
+export const updateTeamBrandingLogoRoute = authenticatedProcedure
+  .input(ZUpdateTeamBrandingLogoRequestSchema)
+  .output(ZUpdateTeamBrandingLogoResponseSchema)
+  .mutation(async ({ ctx, input }) => {
+    const { user } = ctx;
+    const { payload, brandingLogo } = input;
+    const { teamId } = payload;
+
+    ctx.logger.info({
+      input: {
+        teamId,
+      },
+    });
+
+    const team = await prisma.team.findFirst({
+      where: buildTeamWhereQuery({
+        teamId,
+        userId: user.id,
+        roles: TEAM_MEMBER_ROLE_PERMISSIONS_MAP['MANAGE_TEAM'],
+      }),
+    });
+
+    if (!team) {
+      throw new AppError(AppErrorCode.UNAUTHORIZED, {
+        message: 'You do not have permission to update this team.',
+      });
+    }
+
+    // Setting a logo requires the custom-branding entitlement; clearing it is
+    // always allowed so a downgraded team can still remove its logo.
+    if (brandingLogo && IS_BILLING_ENABLED()) {
+      const claim = await getOrganisationClaimByTeamId({ teamId });
+
+      if (claim.flags?.allowCustomBranding !== true) {
+        throw new AppError(AppErrorCode.UNAUTHORIZED, {
+          message: 'Your plan does not allow custom branding.',
+        });
+      }
+    }
+
+    const brandingLogoValue = brandingLogo ? await buildBrandingLogoData(brandingLogo) : '';
+
+    await prisma.team.update({
+      where: {
+        id: team.id,
+      },
+      data: {
+        teamGlobalSettings: {
+          update: {
+            brandingLogo: brandingLogoValue,
+          },
+        },
+      },
+    });
+  });

packages/trpc/server/team-router/update-team-branding-logo.types.ts

@@ -0,0 +1,17 @@
+import { z } from 'zod';
+import { zfd } from 'zod-form-data';
+
+import { zfdBrandingImageFile, zodFormData } from '../../utils/zod-form-data';
+
+export const ZUpdateTeamBrandingLogoRequestSchema = zodFormData({
+  payload: zfd.json(
+    z.object({
+      teamId: z.number(),
+    }),
+  ),
+  brandingLogo: zfdBrandingImageFile().optional(),
+});
+
+export const ZUpdateTeamBrandingLogoResponseSchema = z.void();
+
+export type TUpdateTeamBrandingLogoRequest = z.infer<typeof ZUpdateTeamBrandingLogoRequestSchema>;

packages/trpc/server/team-router/update-team-group.ts

@@ -45,12 +45,9 @@ export const updateTeamGroupRoute = authenticatedProcedure
       });
     }
 
-    if (
-      teamGroup.organisationGroup.type === OrganisationGroupType.INTERNAL_ORGANISATION ||
-      teamGroup.organisationGroup.type === OrganisationGroupType.INTERNAL_TEAM
-    ) {
+    if (teamGroup.organisationGroup.type === OrganisationGroupType.INTERNAL_ORGANISATION) {
       throw new AppError(AppErrorCode.UNAUTHORIZED, {
-        message: 'You are not allowed to update internal groups',
+        message: 'You are not allowed to update internal organisation groups',
       });
     }
 

packages/trpc/server/team-router/update-team-settings.ts

@@ -42,7 +42,6 @@ export const updateTeamSettingsRoute = authenticatedProcedure
 
       // Branding related settings.
       brandingEnabled,
-      brandingLogo,
       brandingUrl,
       brandingCompanyDetails,
       brandingColors,
@@ -176,7 +175,6 @@ export const updateTeamSettingsRoute = authenticatedProcedure
 
             // Branding related settings.
             brandingEnabled,
-            brandingLogo,
             brandingUrl,
             brandingCompanyDetails,
             brandingColors: normalizedBrandingColors === null ? Prisma.DbNull : normalizedBrandingColors,

packages/trpc/server/team-router/update-team-settings.types.ts

@@ -35,7 +35,6 @@ export const ZUpdateTeamSettingsRequestSchema = z.object({
 
     // Branding related settings.
     brandingEnabled: z.boolean().nullish(),
-    brandingLogo: z.string().nullish(),
     brandingUrl: z.string().nullish(),
     brandingCompanyDetails: z.string().nullish(),
     brandingColors: ZCssVarsSchema.nullish(),

packages/trpc/utils/zod-form-data.ts

@@ -1,4 +1,9 @@
 import { APP_DOCUMENT_UPLOAD_SIZE_LIMIT } from '@documenso/lib/constants/app';
+import {
+  BRANDING_LOGO_ALLOWED_TYPES,
+  BRANDING_LOGO_MAX_SIZE_BYTES,
+  BRANDING_LOGO_MAX_SIZE_MB,
+} from '@documenso/lib/constants/branding';
 import { megabytesToBytes } from '@documenso/lib/universal/unit-convertions';
 import type { ZodRawShape } from 'zod';
 import z from 'zod';
@@ -17,6 +22,21 @@ export const zfdFile = () => {
   });
 };
 
+/**
+ * A `zfd.file()` schema constrained to branding-logo images: size-limited and
+ * restricted to a MIME allowlist. Use for server-side branding logo uploads.
+ */
+export const zfdBrandingImageFile = () => {
+  return zfd
+    .file()
+    .refine((file) => file.size <= BRANDING_LOGO_MAX_SIZE_BYTES, {
+      message: `File cannot be larger than ${BRANDING_LOGO_MAX_SIZE_MB}MB`,
+    })
+    .refine((file) => BRANDING_LOGO_ALLOWED_TYPES.includes(file.type), {
+      message: 'File must be a JPG, PNG, or WebP image',
+    });
+};
+
 /**
  * This helper takes the place of the `z.object` at the root of your schema.
  * It wraps your schema in a `z.preprocess` that extracts all the data out of a `FormData`

packages/tsconfig/process-env.d.ts

@@ -93,13 +93,6 @@ declare namespace NodeJS {
     NEXT_PUBLIC_DISABLE_OIDC_SIGNUP?: string;
     NEXT_PRIVATE_ALLOWED_SIGNUP_DOMAINS?: string;
 
-    NEXT_PUBLIC_DISABLE_SIGNIN?: string;
-    NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN?: string;
-    NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN?: string;
-    NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN?: string;
-    NEXT_PUBLIC_DISABLE_OIDC_SIGNIN?: string;
-    NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT?: string;
-
     NEXT_PRIVATE_BROWSERLESS_URL?: string;
 
     NEXT_PRIVATE_JOBS_PROVIDER?: 'inngest' | 'local' | 'bullmq';

render.yaml

@@ -163,18 +163,6 @@ services:
         sync: false
       - key: NEXT_PUBLIC_DISABLE_OIDC_SIGNUP
         sync: false
-      - key: NEXT_PUBLIC_DISABLE_SIGNIN
-        sync: false
-      - key: NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN
-        sync: false
-      - key: NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN
-        sync: false
-      - key: NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN
-        sync: false
-      - key: NEXT_PUBLIC_DISABLE_OIDC_SIGNIN
-        sync: false
-      - key: NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT
-        sync: false
       - key: NEXT_PUBLIC_USE_INTERNAL_URL_BROWSERLESS
         sync: false
 

turbo.json

@@ -53,12 +53,6 @@
     "NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNUP",
     "NEXT_PUBLIC_DISABLE_OIDC_SIGNUP",
     "NEXT_PRIVATE_ALLOWED_SIGNUP_DOMAINS",
-    "NEXT_PUBLIC_DISABLE_SIGNIN",
-    "NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNIN",
-    "NEXT_PUBLIC_DISABLE_GOOGLE_SIGNIN",
-    "NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNIN",
-    "NEXT_PUBLIC_DISABLE_OIDC_SIGNIN",
-    "NEXT_PUBLIC_DISABLE_OIDC_AUTO_REDIRECT",
     "NEXT_PRIVATE_PLAIN_API_KEY",
     "NEXT_PUBLIC_DOCUMENT_SIZE_UPLOAD_LIMIT",
     "NEXT_PRIVATE_DOCUMENSO_LICENSE_KEY",